jbvc/security-review

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

Score: 78

Quality: 78% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has strong trigger term coverage and good completeness with an explicit 'Use when' clause covering multiple scenarios. However, the 'what it does' portion is vague ('provides comprehensive security checklist and patterns') rather than listing specific concrete actions, and the broad scope creates moderate overlap risk with other development-related skills. The description also uses second person voice ('Use this skill') which is borderline but acceptable as trigger guidance rather than addressing the user directly.

Suggestions

Replace 'Provides comprehensive security checklist and patterns' with specific actions like 'Validates input sanitization, configures secret management, applies OWASP security headers, reviews authentication flows for vulnerabilities'.

Narrow the scope or add qualifiers to reduce conflict risk with general API or authentication skills, e.g., 'security review and hardening' rather than 'creating API endpoints'.

Dimension / Reasoning / Score

Specificity: Names the domain (security) and lists several areas (authentication, secrets, API endpoints, payment), but the actual actions are vague — 'Provides comprehensive security checklist and patterns' doesn't describe concrete actions like 'validates input against injection attacks' or 'encrypts secrets at rest'. Score: 2 / 3

Completeness: Explicitly answers both 'when' ('Use this skill when adding authentication, handling user input, working with secrets...') and 'what' ('Provides comprehensive security checklist and patterns'). The 'Use when' clause is present and detailed with multiple trigger scenarios. Score: 3 / 3

Trigger Term Quality: Includes strong natural trigger terms users would actually say: 'authentication', 'user input', 'secrets', 'API endpoints', 'payment', 'sensitive features'. These cover a good range of common security-related queries. Score: 3 / 3

Distinctiveness / Conflict Risk: While the security focus is somewhat distinct, terms like 'handling user input', 'creating API endpoints', and 'authentication' could easily overlap with general web development, API design, or authentication-specific skills. The scope is broad enough to risk false triggers. Score: 2 / 3

Total: 10 / 12 (Passed)

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is a comprehensive security reference with excellent, executable code examples across many domains, but it suffers significantly from being a monolithic document that explains concepts Claude already knows well. It would be far more effective as a concise checklist/overview SKILL.md pointing to topic-specific files for each security domain, with content trimmed to only project-specific conventions and patterns rather than general security education.

Suggestions

Reduce the body to a concise overview with the pre-deployment checklist and split each security topic (secrets, input validation, SQL injection, XSS, CSRF, rate limiting, etc.) into separate referenced files like SECRETS.md, INPUT_VALIDATION.md, etc.

Remove explanations of well-known security concepts (what SQL injection is, why XSS is dangerous) and keep only the project-specific patterns and tool choices (e.g., 'use zod for validation', 'use Supabase RLS').

Add a clear sequential workflow: e.g., 'When implementing a new API endpoint: 1. Add input validation → 2. Add auth check → 3. Run security checklist → 4. Add security tests → 5. Verify before PR'.

Remove the blockchain/Solana section unless it's always relevant to the project — it adds significant length for a niche use case that could be a separate optional reference file.

Dimension / Reasoning / Score

Conciseness: At ~400+ lines, this skill is extremely verbose. It explains well-known security concepts (SQL injection, XSS, CSRF) that Claude already understands deeply. The ❌/✅ pattern pairs, while clear, are redundant for an AI that knows these patterns. Much of this could be reduced to a concise checklist with key code snippets only for project-specific conventions. Score: 1 / 3

Actionability: The skill provides fully executable TypeScript code examples throughout, with concrete libraries (zod, DOMPurify, express-rate-limit), specific configurations, and copy-paste ready patterns. Every section includes working code rather than abstract descriptions. Score: 3 / 3

Workflow Clarity: The skill provides checklists per section and a comprehensive pre-deployment checklist, but lacks a clear sequential workflow for when/how to apply these checks during development. There's no explicit validation-fix-retry feedback loop — it's more of a reference catalog than a guided process. Score: 2 / 3

Progressive Disclosure: This is a monolithic wall of content with 10 major sections all inline. The blockchain security section, security testing, and individual topic deep-dives (XSS, CSRF, etc.) should be split into separate referenced files. The external resources at the bottom are links, not structured skill references. Score: 1 / 3

Total: 7 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Reviewed